Futterman From United States, joined Sep 2003, 1301 posts, RR: 53 Posted (4 years 2 months 3 weeks 6 days 20 hours ago) and read 595 times:
Something's fiddling with my system registry and is giving me the Internet Explorer equivalent of the blue-screen-of-death: an about:blank homepage. Can't get rid of this and I just got over another virus a few weeks ago.
I've been able to find out that the culprit(s) are probably files by the name of ATLTL32.exe and knhoo.dll (used to be "zmtlw.dll" but I deleted it). I believe these file names change from case to case, so they're not necessarily all that useful in their own right.
I've run HijackThis, so here's my log. I replaced all the forward slashes with carats because the former doesn't show up in the final post for whatever reason...
Quote: Logfile of HijackThis v1.99.1
Scan saved at 3:34:46 PM, on 4/13/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)
R1 - HKCU>Software>Microsoft>Internet Explorer>Main,Search Bar = res://C:>WINDOWS>knhoo.dll/sp.html#12345
R1 - HKCU>Software>Microsoft>Internet Explorer>Main,Search Page = res://C:>WINDOWS>knhoo.dll/sp.html#12345
R1 - HKLM>Software>Microsoft>Internet Explorer>Main,Default_Page_URL = about:blank
R1 - HKLM>Software>Microsoft>Internet Explorer>Main,Default_Search_URL = res://C:>WINDOWS>knhoo.dll/sp.html#12345
R1 - HKLM>Software>Microsoft>Internet Explorer>Main,Search Bar = res://C:>WINDOWS>knhoo.dll/sp.html#12345
R1 - HKLM>Software>Microsoft>Internet Explorer>Main,Search Page = res://C:>WINDOWS>knhoo.dll/sp.html#12345
R0 - HKLM>Software>Microsoft>Internet Explorer>Search,SearchAssistant = res://C:>WINDOWS>knhoo.dll/sp.html#12345
R1 - HKCU>Software>Microsoft>Windows>CurrentVersion>Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:>program files>google>googletoolbar1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:>PROGRAM FILES>ADOBE>ACROBAT 6.0>READER>ACTIVEX>ACROIEHELPER.DLL
O2 - BHO: Class - {BB32FFA6-E089-668D-E5AD-954034F388EC} - C:>WINDOWS>SYSTEM>MFCYW32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:>WINDOWS>SYSTEM>MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:>program files>google>googletoolbar1.dll
O4 - HKLM>..>Run: [MSConfigReminder] C:>WINDOWS>SYSTEM>msconfig.exe /reminder
O4 - HKLM>..>Run: [IEKT32.EXE] C:>WINDOWS>IEKT32.EXE
O4 - HKLM>..>RunServices: [Retrospect Launcher] C:>PROGRAM FILES>DANTZ>RETROSPECT>RETRORUN.EXE
O4 - HKCU>..>Run: [AIM] C:>PROGRAM FILES>AIM>aim.exe -cnetwait.odl
O8 - Extra context menu item: &Google Search - res://C:>PROGRAM FILES>GOOGLE>GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:>PROGRAM FILES>GOOGLE>GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:>PROGRAM FILES>GOOGLE>GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:>PROGRAM FILES>GOOGLE>GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:>PROGRAM FILES>GOOGLE>GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:>PROGRAM FILES>GOOGLE>GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:>WINDOWS>web>related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:>WINDOWS>web>related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:>PROGRA~1>MESSEN~1>MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:>PROGRA~1>MESSEN~1>MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:>PROGRAM FILES>AIM>AIM.EXE
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
Reformatting is only a last resort, as I can definitely follow directions that will get rid of whatever this sonofabitch is. Please note that I'm using Windows ME.
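Added example, not part of the original post or of HijackThis itself: a short Python triage of the R0/R1 section of a log like the one above, grouping the Internet Explorer search and start-page settings by the local module their res:// data points into. The function names are hypothetical, the sample lines are constructed in the form this post uses (with ">" where the backslashes were), and a hit is a lead for review, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample in the form the post uses: ">" stands in for the
# backslash that the forum software dropped from the pasted log.
SAMPLE_LOG = """\
R1 - HKCU>Software>Microsoft>Internet Explorer>Main,Search Bar = res://C:>WINDOWS>knhoo.dll/sp.html#12345
R1 - HKLM>Software>Microsoft>Internet Explorer>Main,Search Page = res://C:>WINDOWS>knhoo.dll/sp.html#12345
R1 - HKLM>Software>Microsoft>Internet Explorer>Main,Default_Page_URL = about:blank
R1 - HKCU>Software>Microsoft>Windows>CurrentVersion>Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O8 - Extra context menu item: Similar Pages - res://C:>PROGRAM FILES>GOOGLE>GOOGLETOOLBAR1.DLL/cmsimilar.html
"""

# "R0/R1 - <registry key>,<value name> = <data>"; R3 and O-lines are skipped.
R_LINE = re.compile(r"^(?P<sec>R[01]) - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<data>.*)$")
# res://<module path>/<resource>: a page served from inside a local DLL or EXE.
RES_URL = re.compile(r"^res://(?P<module>.+?\.(?:dll|exe))/", re.IGNORECASE)


def normalise(path):
    """Undo the post's '>' substitution and fold case, as Windows paths compare."""
    return path.replace(">", "\\").lower()


def parse_r_entries(log_text):
    """Return (section, hive, value name, data) for every R0/R1 line."""
    rows = []
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if m:
            hive = m["key"].split(">")[0].split("\\")[0]
            rows.append((m["sec"], hive, m["name"].strip(), m["data"].strip()))
    return rows


def res_modules(rows):
    """Map each local module to the IE settings whose data is a res:// URL into it."""
    hits = defaultdict(list)
    for _sec, hive, name, data in rows:
        m = RES_URL.match(data)
        if m:
            hits[normalise(m["module"])].append(f"{hive}:{name}")
    return dict(hits)


if __name__ == "__main__":
    for module, settings in res_modules(parse_r_entries(SAMPLE_LOG)).items():
        print(f"{module} <- {', '.join(settings)}")
```

The O8 context-menu line also uses res://, but it is outside the R section, so it is not grouped with the search and start-page settings.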
Delta717 From United States, joined Mar 2000, 455 posts, RR: 1 Reply 1, posted (4 years 2 months 3 weeks 6 days 20 hours ago) and read 591 times:
Two words.
Mozilla Firefox.
Believe me...it works so well with getting rid of spyware. If Norton or HijackThis can't fix it, and you can't do anything else...start backing up your files and reformat your hard drive.
Myt332 From United Kingdom (England), joined Sep 2003, 8554 posts, RR: 87 Reply 2, posted (4 years 2 months 3 weeks 6 days 20 hours ago) and read 583 times:
Futterman From United States, joined Sep 2003, 1301 posts, RR: 53 Reply 3, posted (4 years 2 months 3 weeks 6 days 20 hours ago) and read 581 times:
Delta, it's appreciated and all, but in no way, shape, or form is that going to resolve my current issue. Will consider it when it's all said and done.
Myt, what difference does it make? Millennium sucks, I know, but I'm not spending $400 for XP and all the bootleg copies tend to fall through. I live, and my OS isn't the problem here. Shit happens to anything, my computer or yours.
Maybe I didn't make this clear. I'm looking for tech help, not stupid wisecracks and irrelevant comments.
Catatonic From United Kingdom (Wales), joined Mar 2004, 1155 posts, RR: 5 Reply 4, posted (4 years 2 months 3 weeks 6 days 19 hours ago) and read 566 times:
Quoting Futterman (Reply 3): Myt, what difference does it make? Millennium sucks, I know, but I'm not spending $400 for XP and all the bootleg copies tend to fall through.
$400??? What planet are you living on? OEM versions of XP Pro are about $180; all you have to do is buy a cheap mouse with it!
777DadandJr From United States, joined Feb 2005, 1504 posts, RR: 20 Reply 5, posted (4 years 2 months 3 weeks 6 days 19 hours ago) and read 563 times:
First of all, it's not truly a virus. It's a Trojan Worm. Unlikely you will get rid of it. Happened to me a while ago. You would need to know all the files that the worm dropped in order to eradicate it, and that is unlikely.
You are going to have to end up doing a reformat and clean install. These worms not only f*ck up your system, but they also will render anti virus software inoperable. It won't even allow you to connect to Norton or McAfee to download updates. It can also disable your System Restore feature and any spyware/adware programs you might have. These are very nasty buggers.
If you reformat, I suggest doing a few things afterwards.
Install Spyware Blaster, and Spybot. Update once a week and run them all the time. Install a good firewall program. Try Zone Alarm, it's free. Use a good anti virus software as well, and keep it updated. Also, get Norton Ghost. After you rebuild your system and install all your core apps, run Ghost and make an image of your hard drive in pristine condition. If this ever happens again, you can copy the drive image back and be up and running again in about an hour.
Sorry to hear about this. Good Luck
Russ
My glass is neither 1/2 empty nor 1/2 full, rather, the glass itself is twice as big as it should be.
Myt332 From United Kingdom (England), joined Sep 2003, 8554 posts, RR: 87 Reply 6, posted (4 years 2 months 3 weeks 6 days 19 hours ago) and read 558 times:
Futterman, you're right shit does happen and now it's happening to you. So here's what you do Jimmy. Cut your losses, go buy XP and do an over the top install. You don't lose your files (photos etc) and you have a more stable OS thus less crap. That's the difference ok?
Otherwise, rummage around for your Millennium Edition CD (a crappy version of 98) and extract the files you deleted. Or do a reinstall.
Futterman From United States, joined Sep 2003, 1301 posts, RR: 53 Reply 7, posted (4 years 2 months 3 weeks 6 days 19 hours ago) and read 549 times:
Thanks, Myt, I'll put that on my fridge.
Quoting 777DadandJr (Reply 5): First of all, it's not truly a virus. It's a Trojan Worm. Unlikely you will get rid of it. Happened to me a while ago. You would need to know all the files that the worm dropped in order to eradicate it, and that is unlikely.
You are going to have to end up doing a reformat and clean install.
Hey, Russ.
I recently ended up reformatting over a similar Trojan Worm, SE.dll, but found online that people were able to get rid of it "fairly easily". I just wasn't enough of a techie to understand 100% of what was going on.
I'll look into those programs you mentioned, but a clean start is still a last resort as I'm sure somebody here knows what can be done (whether or not it'll work is a whole different issue). Thanks, though!
Concord977 From United States, joined Jan 2004, 1255 posts, RR: 43 Reply 8, posted (4 years 2 months 3 weeks 6 days 19 hours ago) and read 541 times:
Brian,
You might already know about this, so disregard if this is old news.
Paste your HijackThis log into the window provided at this website and it will analyze every entry and offer some solutions for things that appear out of line.
(P.S. I pasted your log into the analyzer and it returned many items that are "safe but not necessary" and then it flagged the following items as "malware" ...)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:>WINDOWS>web>related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:>WINDOWS>web>related.htm
777DadandJr From United States, joined Feb 2005, 1504 posts, RR: 20 Reply 9, posted (4 years 2 months 3 weeks 6 days 19 hours ago) and read 536 times:
Quoting Futterman (Reply 7): I recently ended up reformatting over a similar Trojan Worm, SE.dll, but found online that people were able to get rid of it "fairly easily". I just wasn't enough of a techie to understand 100% of what was going on.
Well, good luck to you Brian. I hope that will solve your problem.
Quoting Myt332 (Reply 6): Futterman, you're right shit does happen and now it's happening to you. So here's what you do Jimmy. Cut your losses, go buy XP and do an over the top install. You don't lose your files (photos etc) and you have a more stable OS thus less crap. That's the difference ok?
I don't think an overlay install of XP will do the trick. If this is a Trojan worm, the files will not be overwritten and what you'll end up with is a new copy of XP with a Trojan. The up side is, if you do get yourself a copy of XP, then YES, by all means, do a clean install. You will thank yourself in the morning. And BTW, you needn't buy a "full" version of XP. You can buy an upgrade version and still do a clean install without having to reinstall that piece of sh*t ME first, and save yourself $100 in the process.
Russ
My glass is neither 1/2 empty nor 1/2 full, rather, the glass itself is twice as big as it should be.
Airlinelover From United States, joined Jun 2001, 5580 posts, RR: 39 Reply 10, posted (4 years 2 months 3 weeks 6 days 19 hours ago) and read 529 times:
Futterman, first thing you need to do is backup and format.
Second: Go buy an UPGRADE for Win XP, then install it FRESH on your system. All it MIGHT ask for is that you put in a disc proving you have a previous version of windows.
Third- DITCH IE! Netscape or Firefox is great.
If you have any questions, email me via my profile.
Chris
Lets do some sexy math. We add you, subtract your clothes, divide your legs and multiply
Myt332 From United Kingdom (England), joined Sep 2003, 8554 posts, RR: 87 Reply 12, posted (4 years 2 months 3 weeks 6 days 19 hours ago) and read 524 times:
Quoting 777DadandJr (Reply 9): I don't think an overlay install of XP will do the trick.
All depends what futterman has done to his PC and what 'virus' he has this time. He sounds pretty inept so maybe you're right. Format the HD, wipe your files. Just don't ask us how to back up everything as well.
MD11Engineer From Germany, joined Oct 2003, 10009 posts, RR: 65 Reply 14, posted (4 years 2 months 3 weeks 6 days 17 hours ago) and read 491 times:
Change your operating system to something less virus-friendly, e.g. Linux. Ok, I'm not playing games, but I discovered that for almost every (the only exceptions are my low-cost scanner, whose manufacturer refuses to hand out certain data to the Linux crowd, and some route planning software) utility I used under Windows, I could find a Linux counterpart, and usually much cheaper, if not free.
Catatonic From United Kingdom (Wales), joined Mar 2004, 1155 posts, RR: 5 Reply 15, posted (4 years 2 months 3 weeks 6 days 17 hours ago) and read 491 times:
Quoting Sovietjet (Reply 13): Lol my copy of XP works fine...$0 just go burn your friend's XP or just use your friend's CD it doesn't matter. Try Kaspersky antivirus too.
TUT!!! You Russians are costing poor Bill Gates a small fortune in piracy! BTW how did you get past the Product Activation?
Manzoori From Christmas Island, joined Sep 2002, 1499 posts, RR: 43 Reply 16, posted (4 years 2 months 3 weeks 6 days 17 hours ago) and read 488 times:
Brian,
Have you tried Adaware or Spybot to get rid of the offending Trojan? These can sometimes help.
Regards,
Rez
Flightlineimages DOT Com Photographer & Web Editor. RR Turbines Specialist
Deltaffindfw From United States, joined Sep 2003, 1236 posts, RR: 1 Reply 17, posted (4 years 2 months 3 weeks 6 days 17 hours ago) and read 483 times:
Futterman -
This just happened to me last week. Check out this site. It gives you a lot of details.
Futterman From United States, joined Sep 2003, 1301 posts, RR: 53 Reply 18, posted (4 years 2 months 3 weeks 6 days 13 hours ago) and read 472 times:
I ended up going through http://www.hijackthis.de -- their (English) forum is pretty damn good. I got a decently swift response and, after following some simple directions, got this thing taken care of. No reformatting whatsoever. If it means anything to anyone, this is the latest HJT log (yes, still with Millennium):
Quote: Logfile of HijackThis v1.99.1
Scan saved at 10:34:26 PM, on 4/13/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)